EUVD-2026-25026

A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes tostringlossy when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8...

EUVD-2026-25020

A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference or -n flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force overwrite mode was also enabled. Thi...

GHSA-VX9M-XJWF-8CQM uutils coreutils has an Improper Handling of Unicode Encoding Issue

A logic error in the split utility of uutils coreutils causes the corruption of output filenames when provided with non-UTF-8 prefix or suffix inputs. The implementation utilizes tostringlossy when constructing chunk filenames, which automatically rewrites invalid byte sequences into the UTF-8...

GHSA-4WRP-79M8-9M9P uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition

A Time-of-Check to Time-of-Use TOCTOU vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiating the split operation. However, the utility subsequently...

uutils coreutils has an Improper Input Validation Issue in its env Utility

A logic error in the env utility of uutils coreutils causes a failure to correctly parse command-line arguments when utilizing the -S split-string option. In GNU env, backslashes within single quotes are treated literally with the exceptions of \ and '. However, the uutils implementation...

uutils coreutils has an Incorrect Provision of Specified Functionality Issue in its cut Utility

A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s only-delimited flag when using the -z null-terminated and -d '' empty delimiter options together. The implementation incorrectly routes this specific combination through a specialized newline-delimiter code...

uutils coreutils has a UNIX Symbolic Link (Symlink) Following issue

A logic error in the ln utility of uutils coreutils allows the utility to dereference a symbolic link target even when the --no-dereference or -n flag is explicitly provided. The implementation previously only honored the "no-dereference" intent if the --force overwrite mode was also enabled. Thi...

uutils coreutils has an Incorrect Provision of Specified Functionality Issue

A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the :graph: and :print: character classes. The implementation mistakenly includes the ASCII space character 0x20 in the :graph: class and excludes it from the :print: class, effectively reversing the...

uutils coreutils has a Time-of-check Time-of-use (TOCTOU) Race Condition

A Time-of-Check to Time-of-Use TOCTOU vulnerability exists in the split utility of uutils coreutils. The program attempts to prevent data loss by checking for identity between input and output files using their file paths before initiating the split operation. However, the utility subsequently...

uutils coreutils has an Improper Handling of Unicode Encoding Issue

A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms e.g., ln SOURCE... DIRECTORY. While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation...

GHSA-FHR3-XH3Q-69W6 uutils coreutils has an Incorrect Provision of Specified Functionality Issue

A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the :graph: and :print: character classes. The implementation mistakenly includes the ASCII space character 0x20 in the :graph: class and excludes it from the :print: class, effectively reversing the...

GHSA-M2PG-C7M6-77PJ uutils coreutils has an Improper Input Validation Issue in its cut Utility

A logic error in the cut utility of uutils coreutils causes the program to incorrectly interpret the literal two-byte string '' two single quotes as an empty delimiter. The implementation mistakenly maps this string to the NUL character for both the -d delimiter and --output-delimiter options. Th...

GHSA-XH5H-P8C5-4W4X uutils coreutils has an Improper Handling of Unicode Encoding Issue

A logic error in the ln utility of uutils coreutils causes the program to reject source paths containing non-UTF-8 filename bytes when using target-directory forms e.g., ln SOURCE... DIRECTORY. While GNU ln treats filenames as raw bytes and creates the links correctly, the uutils implementation...

GHSA-V762-X3CF-5MFG uutils coreutils has a Link Following Issue Via rm Utility

A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protection. The implementation uses a path-string check rather than comparing device and inode numbers to identify the root directory. An attacker or accidental user can bypass this safeguard by using a...

EUVD-2026-25017

An argument parsing error in the kill utility of uutils coreutils incorrectly interprets kill -1 as a request to send the default signal SIGTERM to PID -1. Sending a signal to PID -1 causes the kernel to terminate all processes visible to the caller, potentially leading to a system crash or massi...

EUVD-2026-25002

The touch utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use TOCTOU race condition during file creation. When the utility identifies a missing path, it later attempts creation using File::create, which internally uses OTRUNC. An attacker can exploit this window to create ...

EUVD-2026-24996

The cp utility in uutils coreutils is vulnerable to an information disclosure race condition. Destination files are initially created with umask-derived permissions e.g., 0644 before being restricted to their final mode e.g., 0600 later in the process. A local attacker can race to open the file...

EUVD-2026-24994

A Time-of-Check to Time-of-Use TOCTOU vulnerability exists in the install utility of uutils coreutils when using the -D flag. The command creates parent directories and subsequently performs a second path resolution to create the target file, neither of which is anchored to a directory file...

EUVD-2026-24982

The cp utility in uutils coreutils fails to properly handle setuid and setgid bits when ownership preservation fails. When copying with the -p preserve flag, the utility applies the source mode bits even if the chown operation is unsuccessful. This can result in a user-owned copy retaining origin...

EUVD-2026-24980

The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect, causing an immediate crash when encountering valid but non-UTF-8 paths. This diverg...